Canberra reviewing online Medicare lookup after data breach

Insider with a login, rather than an outsider with a hack, seems culprit for darkweb privacy panic

It looks like the government's figured out how Australians' Medicare numbers were leaking and ending up on a Tor trading site: an insider abusing a login.

Last week, the existence of “The Medicare Machine” became public after a journalist for The Guardian purchased his own Medicare information from the site for $30 worth of Bitcoin. It's believed fewer than 100 card numbers (with names) were traded since last year.

Last week, human services minister Alan Tudge said the breach looked like “traditional criminal activity” rather than a “cyber security breach”.

While still describing it as an “alleged breach”, Tudge and health minister Greg Hunt this morning issued a media release announcing a review into a widely used online Medicare lookup, the Health Professionals Online Services (HPOS) system.

Hospitals, general practitioners and others can use the online portal or a phone system to check the Medicare eligibility of patients who turn up without their card. That system is widely available and heavily used by design: the government press release says it's accessed 45,000 times a day.

When the breach became public, HPOS was the subject of almost immediate speculation, because the small scale of the breach didn't gel with the idea that someone had swiped millions of Medicare records, and because HPOS is so widely available that it would be hard to guarantee nobody abused the system.

The one-bad-apple theory seems confirmed by the government deciding to put Professor Peter Shergold in charge of a review into who can access the system. Shergold will be joined by representatives of the Australian Medical Association, the Royal Australian College of General Practitioners, and a public service secretariat.

The media statement adds that the system “has to be both convenient and utterly secure. The Review team will examine this balance to determine its adequacy in today's context.”